The Trump administration paused FCPA enforcement in February 2025 — does that mean third-party DD is no longer necessary?

No — third-party DD obligations went UP in 2025-26, not down. Here is the verified record. On February 10, 2025, President Trump issued an Executive Order titled 'Pausing FCPA Enforcement to Further American Economic and National Security' directing the Attorney General to pause all new FCPA enforcement for 180 days (extendable to 360), review existing matters, and issue revised guidelines — the first pause in the FCPA's 47-year history. On February 5, 2025, AG Pam Bondi had issued a memo redirecting DOJ focus to bribery tied to cartels and TCOs rather than general anti-corruption. On June 9, 2025, Deputy AG Todd Blanche issued the revised 'Guidelines for Investigations and Enforcement of the FCPA' replacing prior policy — four-factor analysis ((1) Combating Cartels and TCOs as the priority; (2) Safeguarding Fair Opportunities for U.S. Companies; (3) Advancing U.S. National Security in defense / intelligence / critical infrastructure; (4) Investigating Serious Misconduct with strong indicia of corrupt intent), excluding routine business practices, requiring enhanced senior-DOJ-level approval. Result: 2025 was the lightest FCPA enforcement year in 10-plus years (only 2 corporate resolutions, including 1 declination-with-disgorgement, plus 1 corporate indictment; SEC FCPA Unit effectively dissolved with zero FCPA actions; 5 individuals charged versus 19 in 2024). But the obligations migrated to other regimes. The **Compliance Vacuum Paradox**: companies that 'stand down' on third-party DD now face more risk, not less — because (a) UK Failure to Prevent Fraud strict liability took effect September 1, 2025; (b) UFLPA detentions jumped 51 percent to 7,325 shipments in FY2025; (c) OFAC enforcement increased 5x to over $262M across 14 actions; (d) UK / France / Switzerland Anti-Corruption Prosecutorial Taskforce launched March 20, 2025 as explicit counterweight to US retreat; (e) Iran snapback sanctions reimposed September 27, 2025 expanded banking-sector exposure; (f) DOJ's September 2024 Evaluation of Corporate Compliance Programs still demands third-party DD as a compliance hallmark; (g) DOJ March 10, 2026 first-ever Department-wide Corporate Enforcement Policy unified the framework. The structural read: enforcement migrated jurisdictions and statutes; the DD work itself expanded.

What does the 5-Jurisdiction Exposure Map look like for a US-based multinational in 2026?

The **5-Jurisdiction Exposure Map** is the proprietary frame Peony uses for compliance-led third-party DD scoping in 2026. The five jurisdictions whose third-party DD obligations a US-based multinational must satisfy concurrently: (1) **US FCPA** — paused enforcement but obligation intact under DOJ ECCP and successor liability for M&A; (2) **UK Failure to Prevent Fraud** (ECCTA 2023, effective September 1, 2025) — strict-liability corporate offense, unlimited fines, applies extraterritorially to any organization with UK nexus where an employee or agent or associated person commits fraud for the org's benefit absent 'reasonable fraud prevention procedures'; SFO's November 2025 updated Corporate Compliance Guidance plus Director Nick Ephgrave's statement 'Come September if they haven't sorted themselves out we're coming after them' signals telegraphed first prosecution; (3) **EU CSDDD** — Omnibus simplification published in Official Journal February 26, 2026, narrowed scope to greater than 5,000 employees and €1.5B-plus net worldwide turnover (Phase 1) with application deferred to July 26, 2029 — but contractual flow-down from larger covered customers means practical DD obligation arrives 18-24 months before formal applicability; (4) **China counter-sanctions** — China's Anti-Foreign Sanctions Law plus its Unreliable Entity List create reciprocal exposure for companies that comply with US/EU/UK sanctions on Chinese persons; (5) **Russia counter-sanctions** — Russia's Special Economic Measures Law since 2018 and the 2022-25 amendments expanded liability for foreign businesses operating in Russia. The map's diagnostic value: most companies design third-party DD around one or two regimes (typically FCPA + OFAC) and underweight the other three. The September 2025 UFLPA detention surge plus the UK FTPF strict liability are the two largest under-anticipated exposures for 2026.

What is the 4-Tier Third-Party Risk Pyramid, and how should we tier our third parties for DD depth?

The **4-Tier Third-Party Risk Pyramid** is the proprietary tiering framework Peony uses, synthesized from DOJ ECCP plus UFLPA priority sectors plus OFAC gatekeeper liability: - **Tier 1 (Maximum DD):** Foreign government touchpoints (FCPA: agents, distributors, customs brokers, license expediters in foreign government interactions), Xinjiang-nexus suppliers (UFLPA priority sectors as of August 19, 2025 DHS Strategy Update: cotton, apparel, polysilicon, tomatoes, PVC, seafood, aluminum, plus newly added caustic soda, copper, lithium, red dates, steel), SDN-adjacent counterparties (OFAC primary sanctions targets and their ownership chains), and Tier-A high-risk geographies per Basel AML Index 2024 top-risk (Myanmar #1, Haiti #2, DRC #3) and Transparency International CPI 2024 bottom-quintile (North Korea, Syria, Yemen, Equatorial Guinea, Turkmenistan). - **Tier 2 (Elevated DD):** Cross-border payment intermediaries (especially in jurisdictions with weak counter-terrorism financing per FATF blacklist — Iran returned to FATF blacklist October 2024), distributors in countries below 50 on Transparency CPI 2024 (global average 43 for 13th consecutive year, two-thirds of 180 countries below 50), financial gatekeepers (VC funds, real estate syndicators, attorneys handling cross-border transactions — see the GVA Capital $215.99M OFAC penalty 2025 establishing gatekeeper liability for non-bank intermediaries). - **Tier 3 (Standard DD):** Operating vendors in CPI 50+ countries, common commercial counterparties without foreign-official touchpoint. - **Tier 4 (De minimis DD):** Domestic operating vendors with no foreign-official exposure, no Xinjiang supply-chain trace, no sanctions-adjacent ownership. The tiering drives DD review cost: Tier 4 may be automated screening only ($200-$500 per review per Pivot Point Security 2025 benchmarks); Tier 3 automated plus light manual artifact (~$1,000); Tier 2 end-to-end with limited automation ($2,500-$3,000); Tier 1 enhanced DD with investigative reports plus potential onsite audit ($6,000 per review for high-risk vendor; $15,000-$20,000 for onsite audit of critical Tier 1 third party). The DOJ ECCP September 2024 update specifically calls out 'risk-based' DD — meaning tiering is no longer optional, it is the expected baseline.

The UFLPA detentions jumped 51 percent in FY2025 — what does the 'Polysilicon Trace Test' actually look like, and which sectors are now in scope?

Customs and Border Protection (CBP) stopped 7,325 shipments for UFLPA review in FY2025 — a 51 percent increase over FY2024's 4,850. The China-origin denial rate rose to 77 percent in 2025 (up from approximately 60 percent in 2024). Cumulative June 2022 through July 2025 statistics: 16,755 shipments detained, $3.69B in goods, 10,274 denied entry, 5,783 released. **82.8 percent of detentions are from China**, per CBP's UFLPA Dashboard. The UFLPA Entity List reached 144 entities as of August 2025 (up from 66 in 2024) — 78 entities added in 2025 alone. January 15, 2025 additions: 37 entities including 26 cotton (notably Huafu Fashion plus 25 subsidiaries), 6 silicon/solar, 5 mining. The **August 19, 2025 DHS Strategy Update** added five new high-priority sectors: caustic soda, copper, lithium, red dates, steel — alongside the pre-existing high-priority list of aluminum, apparel, cotton, PVC, seafood, polysilicon, tomatoes. The **Polysilicon Trace Test** (proprietary frame) reflects a structural shift: CBP detentions are now targeting smaller, lower-value components further down supply chains rather than headline large shipments — meaning the FY2025 total goods value is actually DOWN from cumulative averages even as shipment count jumped. The diagnostic: if your product contains any processed silicon, check origin three tiers deep, not just direct supplier. The same logic now applies to aluminum (automotive harness wiring, EV battery casings), cotton (apparel sub-components), and copper (newly added — affects electrical, semis, EV). The House Select Committee on the CCP report found Shein and Temu likely responsible for 30-plus percent of all US daily de minimis packages, with Temu admitting no UFLPA audits and no Xinjiang-origin product ban — driving Congressional pressure on de minimis loophole closure that may further constrain supply-chain trace exemptions.

OFAC enforcement increased 5x in 2025 to over $262M across 14 actions — what does the GVA Capital case establish, and what does 'gatekeeper liability' actually mean?

OFAC 2025 total penalties: over $262M across 14 enforcement actions, versus approximately $49M in 2024 — a 5x increase per Sidley's 'Five Key Takeaways from 2025 US Sanctions Enforcement' (February 2026). The **GVA Capital $215.99M penalty in 2025** was the third-largest OFAC penalty since 2019. GVA Capital is a San Francisco-based VC fund that managed assets of an SDN-designated Russian oligarch from 2018 through 2021. The case established the **Gatekeeper Liability Doctrine** (proprietary frame): non-bank financial intermediaries — VC funds, real estate syndicators, attorneys, family offices, asset managers — must now perform bank-grade third-party DD on counterparties even if not regulated as banks. The implication for M&A buyers, VCs, asset managers, and law firms with international clients: an OFAC-equivalent screening procedure (SDN list match, EU Consolidated List, UK OFSI, sectoral sanctions, and 50-percent rule ownership chain analysis under OFAC's Recent Sectoral Sanctions Identifications) is now functionally required at intake, not optional. The broader 2025 OFAC enforcement themes: Russia SDN additions fell 85 percent under the Trump administration (only 74 Russian persons designated in 2025 versus the 507 per year average 2022-24), with zero Russian Entity List additions; conversely, China-related designations dominated, largely for Iran sanctions evasion (per CNAS's 'Sanctions by the Numbers 2025 Year in Review'). January 10, 2025 OFAC imposed new Russian energy sanctions targeting Gazprom Neft, Surgutneftegas, 183 vessels, and oil traders — a new determination prohibits US petroleum services in Russia effective February 27, 2025. Combined with the UN Snapback on Iran reimposed September 27, 2025 (E3 — France, Germany, UK — pulled the Resolution 2231 trigger on August 28, 2025), the 2025-26 sanctions environment is the most aggressive enforcement landscape on the OFAC + UN side even as US FCPA enforcement collapsed.

The EU CSDDD was rewritten by the Omnibus simplification — what does the new timeline and scope look like, and who is actually obligated to do third-party DD under it?

The EU Omnibus Directive was published in the Official Journal on **February 26, 2026** (following Council adoption February 24, 2026 and Parliament adoption December 16, 2025), simplifying CSDDD and CSRD. The CSDDD transposition deadline was deferred to **July 26, 2028**, with application to **July 26, 2029**. The Omnibus narrowed CSDDD Phase 1 scope: now applies only to EU companies with **greater than 5,000 employees and €1.5B+ net worldwide turnover** (previously 1,000-plus employees and €450M+); the €450M / 1,000+ employee tier is deferred to approximately July 2029 in a subsequent phase. Non-EU companies in scope: €1.5B+ Union-generated turnover threshold (the prior €450M non-EU threshold was raised parallel to the EU-side narrowing). National implementation status: Germany's LkSG (Supply Chain Due Diligence Act) enforcement was narrowed October 1, 2025 — BAFA discontinued report reviews; fines now imposed only for 'particularly serious' breaches by extent, scope, or irreversibility; September 2025 draft law proposed abolishing the reporting obligation entirely (though underlying DD obligations remain). Norway's Åpenhetsloven (Transparency Act) continues to apply to approximately 9,000 companies with annual DD report by June 30 and fines up to 4 percent of turnover or NOK 25M (about $2.4M). The **CSDDD Plateau** (proprietary frame): companies in the €450M-€1.5B revenue band now have a 3-year window of regulatory respite at the EU-statute level — but contractual flow-down from larger covered customers means the practical DD obligation arrives EARLIER for mid-market suppliers than the formal timeline indicates. The Contractual Flow-Down Forecast diagnostic: survey your top-10 EU enterprise customers' CSDDD readiness, because their compliance burden cascades to you 18-24 months before formal CSDDD applicability. The other forcing function: ESG-driven procurement standards from large EU corporates often exceed the statutory minimum, so practical DD activity is already well above what the rewritten directive requires.

What is the 5-Layer Screening Stack we should run on every third party in 2026, and what red-flag thresholds matter at each layer?

The **5-Layer Screening Stack** (proprietary frame) is the sequenced flow Peony recommends for third-party DD in 2026: **Layer 1 — Sanctions screening:** OFAC SDN list, EU Consolidated List, UK OFSI list, plus ownership chain analysis under OFAC's 50 Percent Rule (any entity 50-percent-plus owned by SDN parties is itself blocked). Red-flag threshold: any match (including phonetic and transliterated matches) requires immediate hold and enhanced DD before any further engagement. The GVA Capital $216M penalty case shows that even indirect SDN exposure through asset management creates direct liability. **Layer 2 — UFLPA Entity List + supply-chain trace:** Check direct supplier against UFLPA Entity List (144 entities as of August 2025), then trace supply chain 3 tiers deep for any of the 12 high-priority sectors (cotton, apparel, polysilicon, tomatoes, PVC, seafood, aluminum, caustic soda, copper, lithium, red dates, steel). Red-flag threshold: any tier-3 trace to Xinjiang or named UFLPA entity requires either rebuttable presumption documentation per UFLPA Section 3 or supply-chain remediation before continued sourcing. **Layer 3 — PEP / Beneficial Ownership / Adverse Media:** Politically Exposed Person screening (LSEG World-Check, Dow Jones R&C, LexisNexis Bridger), Ultimate Beneficial Owner ID — note that FinCEN exempted US companies from BOI reporting March 21, 2025 under the Corporate Transparency Act, so DD providers must work harder for US-domestic UBO via alternative state filings; foreign reporting companies remain obligated. Adverse media screening across multiple languages (Mandarin, Russian, Arabic, Spanish, Portuguese minimum for global third parties). Red-flag threshold: any PEP, any UBO obscurity, any adverse media tagged Anti-Bribery / Anti-Corruption / Sanctions / Fraud requires enhanced DD. **Layer 4 — Anti-Bribery History + Country Risk:** Recent ABC settlements (RTX/Raytheon October 2024 $950M total with $124M+ FCPA portion; Trafigura March 28, 2024 $126.9M FCPA plea for Brazil Petrobras bribes; SAP January 2024 $220M+; Albemarle 2024-25; ABB; Honeywell), country risk score (Transparency CPI 2024 global average 43, two-thirds of 180 countries below 50; Basel AML Index 2024 across 164 jurisdictions; TRACE Bribery Matrix 2024 edition (most recent available as of May 2026) with Norway 7 / Switzerland 10 cleanest and North Korea 92 / Turkmenistan 88 / Syria 86 highest risk). Red-flag threshold: country CPI below 40, or counterparty with prior ABC enforcement action in any jurisdiction, triggers enhanced DD. **Layer 5 — ESG / Forced Labor / Sustainability:** Beyond UFLPA — Norway's Åpenhetsloven, residual Germany LkSG, EU CSDDD readiness (even if not yet applicable, contractual flow-down forecast), conflict minerals (Dodd-Frank 1502 Form SD filings continue although SEC has not actively enforced the Independent Private Sector Audit element since 2017). Red-flag threshold: missing supply-chain traceability documentation, missing supplier code of conduct attestation, or supplier in flagged commodity sector triggers ESG enhanced DD. For each layer, the cost-per-third-party scales from approximately $200 fully automated (Layer 1 only) to $20,000 onsite audit of a critical Tier 1 third party (all 5 layers plus investigation report).

Which third-party DD platforms should we evaluate in 2026, and what's the honest tradeoff between data providers and workflow platforms?

The third-party DD platform market is bifurcated into (1) **data providers** selling sanctions / PEP / adverse media / ownership lists and feeds, and (2) **workflow platforms** wrapping data into screening plus audit-trail orchestration. Most large enterprises use one of each. Honest landscape: **LSEG World-Check** (formerly Refinitiv, now London Stock Exchange Group) — strongest in PEP and regulatory watchlist depth. **Dow Jones Risk & Compliance** — 3M+ companies and individuals, broader feature set including adverse media, risk scoring, sanctions, ABC, ESG, financial crime, export controls. **LexisNexis Bridger Insight XG** — sanctions, PEP, negative news screening integrated with LN Risk identity ecosystem. **Moody's** (Orbis + Maxsight) — strong corporate ownership analytics via Orbis, sanctions screening plus securities mapping. **NICE Actimize WL-X** — AI-driven sanctions screening with ML and real-time analytics, strong in banking transaction screening. **ComplyAdvantage** — AI-native AML data with continuous monitoring rather than batch refresh; useful for high-velocity onboarding pipelines. **Kharon** — specialized in UFLPA plus sanctions network analysis, strongest UFLPA Xinjiang network mapping (relevant post-FY2025 detention surge). On the workflow side: **OneTrust Third-Party DD** — workflow plus integration layer, often paired with Dow Jones data. **Aravo** — vendor risk management plus DD workflows with M&A and high-risk vendor focus. **Sayari / IntegrityRisk / Exiger** — investigative DD reports for bespoke high-risk vendor reviews. The structural tradeoff: data-only vendors require you to build your own workflow and audit trail; workflow platforms require ongoing data subscriptions. Hybrid stacks combining one data provider plus one workflow platform typically cost $50K-$500K annually depending on third-party volume. The third-party DD market sizing per Future Market Insights: $8.2B in 2025 growing to $27.4B by 2035 at 12.9 percent CAGR (estimates vary 8 to 14 percent CAGR across firms — Markets and Markets and SkyQuest project similarly). Caveat: market research projections are vendor-incentivized. The practical baseline per White & Case's 2023 Global Compliance Risk Benchmarking: 85 percent of organizations perform risk-based compliance DD on third parties, with 24 percent outsourcing entirely.

We are an M&A buyer evaluating a target with sales agents in CPI sub-40 countries with no documented FCPA DD trail — what's the realistic price-reduction math, and how do we structure the escrow?

The **Successor Liability Discount Equation** (proprietary frame) — the M&A version of third-party DD — translates an absent DD trail into a quantifiable purchase-price reduction lever. The DOJ position is unchanged through the 2025 FCPA pause: voluntary self-disclosure of pre-acquisition misconduct plus remediation equals declination with disgorgement under the DOJ September 2024 ECCP and the DOJ March 10, 2026 Department-wide Corporate Enforcement & Voluntary Self-Disclosure Policy. The new policy: a near miss still gets NPA with 50 to 75 percent fine reduction off the USSG low end. Concrete math for a $200M EV acquisition with a target that has 12 sales agents across 8 CPI sub-40 countries and no documented DD trail: (a) baseline FCPA exposure modeling — assume conservative 5 to 8 percent of revenue from the affected geographies is at risk for ABC-related claims (use Trafigura $126.9M penalty on ~$5B revenue baseline as a comparable, which implies roughly 2.5 percent of affected revenue as penalty exposure); (b) escrow construction — 3 to 7 percent of purchase price specifically tied to third-party remediation, with release contingent on (i) completed 5-Layer Screening Stack on all 12 agents within 90 days post-close, (ii) any flagged agents either remediated or terminated within 180 days post-close, (iii) DOJ voluntary self-disclosure of any historical exposure within 270 days post-close; (c) representation and warranty insurance — typical RWI premium 3.23 percent (Q4 2025 WTW Insurance Marketplace Realities 2026) with FCPA-specific carve-outs negotiable for an additional 0.5 to 1 percent premium; (d) post-close compliance integration — RFP a workflow platform plus data provider within 60 days, complete onboarding within 120 days, costing $50K-$300K depending on target size. The negotiating leverage: in 2026 with FCPA enforcement paused but UK FTPF strict liability live and DOJ ECCP unchanged, sellers cannot credibly argue that an absent DD trail carries zero discount — successor liability under UK FTPF or future US administration policy reversal makes the escrow structurally defensible.

What's the right data room for third-party due diligence, and how do the major options compare?

Third-party DD generates substantial document volume — ABC questionnaire responses, business registration certificates, beneficial ownership documentation, sanctions screening reports, adverse media reports, supply-chain trace documentation, audit reports, and remediation evidence. For a multinational with 500 to 5,000 active third parties under Tier 2 or Tier 1 DD, the document volume can exceed M&A data rooms by an order of magnitude. The honest landscape for third-party DD document management: **[Datasite](/blog/datasite-pricing)** is the enterprise standard for large multinationals with thousands of Tier 1 and Tier 2 third parties — strongest at enterprise procurement integration but expensive at per-page pricing $0.40 to $0.85. **[Intralinks](/blog/intralinks-pricing-2025)** (SS&C-owned) has deep IRM controls useful for ITAR-classified or export-controlled third-party documentation in defense, aerospace, and dual-use technology — priced $7,500 starting and $4,000 to $25,000-plus annual contracts. **OneTrust Third-Party Risk** integrates DD workflow with the broader OneTrust privacy and compliance suite — strongest if you already use OneTrust for GDPR or CCPA. **Aravo** is purpose-built for vendor and third-party risk workflows with native integration to data providers (Dow Jones, World-Check). **Diligent** for board-level compliance reporting and audit trail. **[Peony](/)** at $40 per admin per month on the Business plan with [unlimited rooms](/features/datarooms), [NDA gates](/features/nda), [page-level analytics](/features/page-analytics), and [dynamic watermarks](/features/watermarks) is best-fit for compliance teams managing third-party DD evidence collection in the $50M-$5B revenue band — particularly for [bring-down DD](/blog/m-and-a-due-diligence-process-guide) workflows where each third party needs an isolated documentation file with controlled access for compliance, legal, and external counsel. We make Peony, so this is honest disclosure: for enterprises managing 5,000-plus active third parties under DD, the workflow platforms (OneTrust, Aravo) plus data providers (Dow Jones, World-Check) are the necessary infrastructure layer; Peony complements that with the evidence collection and document storage layer rather than replacing it. For mid-market compliance teams managing 50-500 third parties, Peony plus a single data provider (LSEG World-Check or Dow Jones) often delivers full DD coverage at substantially lower cost than the enterprise-platform alternative.

Third-Party Due Diligence: The 5-Jurisdiction Framework for 2026

Quick answer: Third-party due diligence in 2026 is compliance-led investigation into intermediaries, distributors, agents, JV partners, M&A targets' third-party networks, and supply-chain counterparties — driven by FCPA, UK Failure to Prevent Fraud, OFAC sanctions, UFLPA, EU CSDDD, and counter-sanctions regimes. It is not the same as vendor due diligence (which is procurement-led TPRM evaluation). The Trump administration paused FCPA enforcement February 10, 2025, but third-party DD obligations went UP, not down — enforcement migrated to UK FTPF strict liability (effective September 1, 2025), OFAC gatekeeper liability (GVA Capital $215.99M penalty 2025), UFLPA detentions (+51 percent in FY2025), and EU CSDDD contractual flow-down. The right framework: 5-Jurisdiction Exposure Map plus 4-Tier Third-Party Risk Pyramid plus 5-Layer Screening Stack.

This is the third-party DD layer specifically. For procurement-led vendor evaluation (6-domain TPRM: security, financial, privacy, resilience, legal, ESG), see our vendor due diligence checklist. Same words, different worlds — and a recurring source of compliance team confusion.

I have built a data room used by 4,300+ customers, including compliance teams running third-party DD across multinational supply chains. This is the structural map of how compliance-led DD actually works in 2026 — distinct from procurement vendor DD, and updated for the post-FCPA-pause reality.

What is third-party due diligence, and how is it different from vendor due diligence?

Third-party DD = compliance investigation into intermediaries' integrity. It targets agents, distributors, customs brokers, license expediters, JV partners, M&A targets' third-party networks, and supply-chain counterparties. Driven by anti-bribery (FCPA, UK Bribery Act, UK FTPF), sanctions (OFAC SDN, EU Consolidated, UK OFSI), forced labor (UFLPA Entity List), and human-rights / environmental supply-chain regimes (EU CSDDD, German LkSG, Norway Åpenhetsloven). Owner: legal-compliance.

Vendor DD = procurement evaluation of a counterparty before contract. It covers 6 domains: business / financial stability, information security, privacy / compliance, operational resilience, legal / contract risk, ethics / ESG. Owner: procurement / TPRM.

Most multinationals run both. The functions sit in different parts of the org with different tooling. This post is about the compliance-led layer.

The Compliance Vacuum Paradox

Frame: The Compliance Vacuum Paradox. US FCPA enforcement collapsed in 2025 — but third-party DD obligations went UP, not down. The verified record:

February 10, 2025: Trump Executive Order "Pausing FCPA Enforcement to Further American Economic and National Security" — paused all new FCPA enforcement for 180 days (extendable to 360); first pause in FCPA's 47-year history. (Source: White House EO page.)
February 5, 2025: AG Bondi memo (preceded EO by 5 days) — DOJ redirected to bribery tied to cartels and TCOs, not general anti-corruption.
June 9, 2025: Deputy AG Todd Blanche "Guidelines for Investigations and Enforcement of the FCPA" — replaced prior policy. Four-factor analysis: (1) Combating Cartels and TCOs (priority); (2) Safeguarding Fair Opportunities for U.S. Companies; (3) Advancing U.S. National Security (defense / intelligence / critical infrastructure); (4) Investigating Serious Misconduct with strong indicia of corrupt intent. Excludes routine business practices. Enhanced senior-DOJ-level approval required.
2025 = lightest FCPA enforcement in 10-plus years. DOJ: 2 corporate resolutions (1 declination-with-disgorgement) plus 1 indictment. SEC: zero FCPA actions all year; FCPA Unit effectively dissolved. Individuals: 5 charged (down from 19 in 2024). Early monitorship terminations in 2025: Glencore (March 19, 15 months early), Albemarle (April), Stericycle (April 25 dismissed with prejudice), ABB, Honeywell.
March 10, 2026: DOJ first-ever Department-wide Corporate Enforcement & Voluntary Self-Disclosure Policy. All DOJ corporate criminal matters (except antitrust) under unified framework. Decline-to-prosecute requires voluntary self-disclosure plus full cooperation plus timely remediation plus no aggravating circumstances. Near-miss still gets NPA with 50 to 75 percent fine reduction off USSG low end.

But the obligations migrated. Enforcement moved to:

UK Failure to Prevent Fraud — strict-liability corporate offense (ECCTA 2023, effective September 1, 2025), unlimited fines. SFO November 2025 updated Corporate Compliance Guidance; Director Nick Ephgrave: "Come September, if they haven't sorted themselves out, we're coming after them."
UFLPA detentions — up 51 percent in FY2025 to 7,325 shipments (CBP statistics).
OFAC enforcement — up 5x to over $262M across 14 actions ($215.99M GVA Capital penalty alone established gatekeeper liability for non-bank financial intermediaries).
UK / France / Switzerland Anti-Corruption Prosecutorial Taskforce — founded March 20, 2025 as explicit counterweight to US enforcement retreat.
Iran snapback sanctions — UN Resolution 2231 trigger pulled by E3 (France, Germany, UK) August 28, 2025; UN sanctions reimposed September 27, 2025.
DOJ ECCP — still demands third-party DD as a compliance hallmark; September 2024 update added AI risk, data analytics, whistleblower protections, M&A post-transaction integration.

The structural read: enforcement migrated jurisdictions and statutes; the DD work itself expanded.

The 5-Jurisdiction Exposure Map

Frame: The 5-Jurisdiction Exposure Map. US-based multinationals in 2026 must satisfy third-party DD obligations across five concurrent regimes:

Jurisdiction	Statute	2025-26 status	Key DD obligation
US FCPA	FCPA 1977	Paused enforcement Feb 10 2025; DOJ ECCP intact	Successor liability for M&A; ECCP compliance hallmark
UK FTPF	ECCTA 2023, effective Sep 1 2025	Strict liability; unlimited fines	"Reasonable fraud prevention procedures" — Tier 1 + Tier 2 DD documented
EU CSDDD	Omnibus published Feb 26 2026, application Jul 26 2029	Narrowed to 5,000+ emp / €1.5B+ rev (Phase 1)	Supply-chain trace; CSDDD readiness via customer flow-down 18-24 months ahead
China counter-sanctions	Anti-Foreign Sanctions Law + Unreliable Entity List	Reciprocal exposure for US/EU/UK-compliant firms	Conflict avoidance; document policy for both compliance paths
Russia counter-sanctions	Special Economic Measures Law + 2022-25 amendments	Expanded liability for foreign businesses in Russia	Exit/wind-down DD; expat staff exposure

Diagnostic value: most companies design third-party DD around 1-2 regimes (typically FCPA + OFAC) and underweight the other 3. The September 2025 UFLPA detention surge + the UK FTPF strict liability are the two largest under-anticipated exposures for 2026.

The 4-Tier Third-Party Risk Pyramid

Frame: The 4-Tier Third-Party Risk Pyramid. Synthesized from DOJ ECCP + UFLPA priority sectors + OFAC gatekeeper liability:

Tier 1 (Maximum DD): Foreign government touchpoints (agents, distributors, customs brokers, license expediters), Xinjiang-nexus suppliers per the August 19, 2025 DHS Strategy Update high-priority sectors (cotton, apparel, polysilicon, tomatoes, PVC, seafood, aluminum + newly added caustic soda, copper, lithium, red dates, steel), SDN-adjacent counterparties, Tier-A high-risk geographies (Basel AML Index 2024 top-risk: Myanmar #1, Haiti #2, DRC #3; CPI 2024 bottom-quintile: North Korea, Syria, Yemen, Equatorial Guinea, Turkmenistan).
Tier 2 (Elevated DD): Cross-border payment intermediaries (especially FATF blacklist jurisdictions — Iran returned October 2024), distributors in CPI sub-50 countries, financial gatekeepers (VC funds, real estate syndicators, attorneys — see GVA Capital $216M precedent).
Tier 3 (Standard DD): Operating vendors in CPI 50-plus countries, common commercial counterparties without foreign-official touchpoint.
Tier 4 (De minimis DD): Domestic operating vendors with no foreign-official exposure, no Xinjiang trace, no sanctions-adjacent ownership.

Cost stack per tier (Pivot Point Security 2025 benchmarks):

Tier	DD depth	Cost per review
Tier 4	Automated screening only	$200-$500
Tier 3	Automated + light manual artifact	~$1,000
Tier 2	End-to-end with limited automation	$2,500-$3,000
Tier 1	Enhanced DD + investigative report	$6,000-$7,000
Tier 1 critical	+ Onsite audit	$15,000-$20,000

The DOJ ECCP September 2024 update specifically calls out "risk-based" DD — tiering is no longer optional, it is the expected baseline.

The UFLPA detention surge and the Polysilicon Trace Test

CBP UFLPA enforcement statistics (FY2025):

7,325 shipments stopped — +51 percent over FY2024 (4,850)
77 percent China-origin denial rate (up from approximately 60 percent in 2024)
Cumulative June 2022 - July 2025: 16,755 shipments detained, $3.69B in goods; 10,274 denied entry, 5,783 released
82.8 percent from China

UFLPA Entity List: 144 entities as of August 2025 (up from 66 in 2024) — 78 entities added in 2025 alone. January 15, 2025 additions: 37 entities (26 cotton incl. Huafu Fashion + 25 subsidiaries; 6 silicon/solar; 5 mining).

August 19, 2025 DHS Strategy Update — new high-priority sectors: caustic soda, copper, lithium, red dates, steel. Added to existing: aluminum, apparel, cotton, PVC, seafood, polysilicon, tomatoes.

Frame: The Polysilicon Trace Test. CBP detentions are now targeting smaller, lower-value components further down supply chains rather than headline large shipments — meaning total goods value is actually DOWN from cumulative averages even as shipment count jumped. The diagnostic: if your product contains ANY processed silicon, check origin 3 tiers deep, not just direct supplier. Same logic now applies to aluminum (automotive harness wiring, EV battery casings), cotton (apparel sub-components), and copper (newly added — affects electrical, semis, EV).

The House Select Committee on the CCP report found Shein and Temu likely responsible for 30+ percent of all US daily de minimis packages, with Temu admitting no UFLPA audits and no Xinjiang-origin product ban — driving Congressional pressure on de minimis loophole closure.

OFAC gatekeeper liability and the GVA Capital precedent

OFAC 2025 enforcement: over $262M across 14 actions (vs. ~$49M in 2024 — 5x increase per Sidley's "Five Key Takeaways from 2025 US Sanctions Enforcement," February 2026).

GVA Capital — $215.99M penalty (2025). San Francisco-based VC fund that managed assets of an SDN-designated Russian oligarch 2018-21. Third-largest OFAC penalty since 2019.

Frame: The Gatekeeper Liability Doctrine. Non-bank financial intermediaries — VC funds, real estate syndicators, attorneys, family offices, asset managers — must now perform bank-grade third-party DD on counterparties even if not regulated as banks. The implication for M&A buyers, VCs, asset managers, and law firms: an OFAC-equivalent screening procedure (SDN match + EU Consolidated + UK OFSI + sectoral sanctions + 50 Percent Rule ownership chain) is functionally required at intake, not optional.

Other 2025 sanctions enforcement themes:

Russia SDN additions fell 85 percent under Trump (only 74 Russian persons designated in 2025 vs. ~507/year average 2022-24); zero Russian Entity List additions.
China-related designations dominated, largely for Iran sanctions evasion (CNAS's "Sanctions by the Numbers 2025 Year in Review").
January 10, 2025 — OFAC imposed new Russian energy sanctions targeting Gazprom Neft, Surgutneftegas, 183 vessels, and oil traders; new determination prohibits US petroleum services in Russia effective February 27, 2025.
September 27, 2025 — UN Snapback Sanctions on Iran reimposed (Resolution 2231 trigger pulled by E3 August 28, 2025). Reinstates pre-JCPOA UN sanctions including asset freezes on Central Bank of Iran + major commercial banks.

The EU CSDDD Omnibus and the Compliance Plateau

The EU Omnibus Directive was published in the Official Journal February 26, 2026 (following Council adoption February 24, 2026 and Parliament adoption December 16, 2025). It simplified both CSDDD and CSRD.

CSDDD as rewritten:

Transposition deadline: July 26, 2028
Application: July 26, 2029
Phase 1 scope: greater than 5,000 employees AND €1.5B+ net worldwide turnover (narrowed from previous 1,000+ employees / €450M+)
€450M / 1,000+ employee tier: deferred to subsequent phase (~July 2029)
Non-EU companies: €1.5B+ Union-generated turnover threshold (raised from prior €450M)

National implementation status (May 2026):

Germany LkSG — enforcement narrowed October 1, 2025 (BAFA discontinued report reviews; fines only for "particularly serious" breaches by extent, scope, or irreversibility; September 2025 draft law proposed abolishing reporting obligation; underlying DD obligations remain).
Norway Åpenhetsloven — continues to apply to ~~9,000 companies; annual DD report by June 30; fines up to 4 percent of turnover or NOK 25M (~~$2.4M).

Frame: The CSDDD Plateau. Companies in the €450M-€1.5B revenue band now have a 3-year window of regulatory respite at the EU-statute level — but contractual flow-down from larger covered customers means the practical DD obligation arrives EARLIER for mid-market suppliers than the formal timeline indicates. The Contractual Flow-Down Forecast diagnostic: survey your top-10 EU enterprise customers' CSDDD readiness, because their compliance burden cascades to you 18-24 months before formal CSDDD applicability.

The 5-Layer Screening Stack

Frame: The 5-Layer Screening Stack. Third-party DD in 2026 is a sequenced screening flow, not a single FCPA exercise:

Layer 1 — Sanctions

OFAC SDN list, EU Consolidated List, UK OFSI list
Ownership chain under OFAC 50 Percent Rule
Match types: exact + phonetic + transliterated
Red-flag threshold: any match → immediate hold + enhanced DD

Layer 2 — UFLPA + Supply Chain Trace

Direct supplier vs. UFLPA Entity List (144 entities as of Aug 2025)
Trace supply chain 3 tiers deep for 12 high-priority sectors
Red-flag threshold: any tier-3 Xinjiang trace or named UFLPA entity → rebuttable presumption documentation per UFLPA Section 3 or remediation

Layer 3 — PEP / UBO / Adverse Media

PEP screening (LSEG World-Check, Dow Jones R&C, LexisNexis Bridger)
UBO ID — note FinCEN March 21, 2025 exemption of US companies from BOI reporting under Corporate Transparency Act; foreign reporting companies remain obligated
Multi-language adverse media (Mandarin, Russian, Arabic, Spanish, Portuguese minimum)
Red-flag threshold: any PEP, UBO obscurity, ABC/Sanctions/Fraud-tagged adverse media → enhanced DD

Layer 4 — Anti-Bribery History + Country Risk

Recent settlements: RTX/Raytheon Oct 2024 $950M total / $124M+ FCPA portion; Trafigura March 28 2024 $126.9M FCPA plea for Petrobras Brazil bribes; SAP January 2024 $220M+; Albemarle 2024-25; ABB; Honeywell
Country risk: Transparency CPI 2024 global average 43 for 13th year, two-thirds of 180 countries below 50; Basel AML Index 2024 across 164 jurisdictions; TRACE Bribery Matrix 2024 edition (cleanest Norway 7 / Switzerland 10; highest risk North Korea 92 / Turkmenistan 88 / Syria 86)
Red-flag threshold: country CPI below 40, or counterparty with prior ABC enforcement → enhanced DD

Layer 5 — ESG / Forced Labor / Sustainability

Beyond UFLPA: Norway Åpenhetsloven, residual Germany LkSG, EU CSDDD readiness via contractual flow-down forecast
Conflict minerals (Dodd-Frank 1502 Form SD filings — SEC has not actively enforced IPSA element since 2017)
Red-flag threshold: missing supply-chain traceability, missing supplier code of conduct attestation, supplier in flagged commodity → ESG enhanced DD

The Successor Liability Discount Equation (M&A)

Frame: The Successor Liability Discount Equation. For M&A buyers, an absent third-party DD trail translates into a quantifiable purchase-price reduction lever.

DOJ position is unchanged through the 2025 FCPA pause: voluntary self-disclosure of pre-acquisition misconduct + remediation = declination with disgorgement under the September 2024 ECCP and the March 10, 2026 Department-wide Corporate Enforcement Policy. Near miss = NPA with 50 to 75 percent fine reduction off USSG low end.

Concrete math for a $200M EV acquisition with 12 sales agents across 8 CPI sub-40 countries and no documented DD trail:

Baseline FCPA exposure — conservative 5 to 8 percent of revenue from affected geographies is at risk. Trafigura $126.9M penalty on ~$5B revenue baseline implies roughly 2.5 percent of affected revenue as penalty exposure.
Escrow construction — 3 to 7 percent of purchase price tied to third-party remediation. Release contingent on:
- Completed 5-Layer Screening Stack on all 12 agents within 90 days post-close
- Flagged agents remediated or terminated within 180 days
- DOJ voluntary self-disclosure of historical exposure within 270 days
Representation and warranty insurance — typical RWI premium 3.23 percent (Q4 2025 WTW Insurance Marketplace Realities 2026) with FCPA-specific carve-outs negotiable for additional 0.5 to 1 percent premium.
Post-close compliance integration — workflow platform + data provider RFP within 60 days, onboarding within 120 days. Cost: $50K-$300K depending on target size.

Negotiating leverage: in 2026 with FCPA enforcement paused but UK FTPF strict liability live and DOJ ECCP unchanged, sellers cannot credibly argue zero discount. Successor liability under UK FTPF or future US administration policy reversal makes the escrow structurally defensible.

Honest platform comparison

The third-party DD platform market bifurcates into data providers (lists/feeds) and workflow platforms (orchestration/audit-trail). Most large enterprises use one of each.

Data providers

Platform	Owner	Strength	Best for
LSEG World-Check	London Stock Exchange Group	PEP + regulatory watchlist depth	Banking, financial services
Dow Jones Risk & Compliance	Dow Jones / News Corp	3M+ entities; adverse media + ESG + ABC + export controls	Multinationals with broad geographic exposure
LexisNexis Bridger Insight XG	LexisNexis Risk Solutions	Sanctions + PEP + negative news, integrated with LN identity	Risk-management orgs already on LexisNexis
Moody's (Orbis + Maxsight)	Moody's Analytics	Corporate ownership analytics + sanctions + securities mapping	M&A buyers, asset managers
NICE Actimize WL-X	NICE	AI-driven real-time sanctions screening	Banking transaction screening
ComplyAdvantage	ComplyAdvantage	AI-native AML data with continuous monitoring	High-velocity onboarding pipelines (fintech, crypto)
Kharon	Kharon	UFLPA + sanctions network analysis	Supply-chain heavy / Xinjiang exposure

Workflow platforms

Platform	Strength	Best for
OneTrust Third-Party DD	Workflow + data integration; often paired with Dow Jones	Enterprises already on OneTrust privacy suite
Aravo	Vendor risk + DD workflows; data provider integrations	M&A buyers, high-risk vendor portfolios
Sayari / IntegrityRisk / Exiger	Investigative DD reports for bespoke high-risk reviews	Tier 1 critical third parties
Diligent	Board-level compliance reporting + audit trail	Public companies, regulated industries

Market context

Third-Party Risk Management Market sizing (2025):

Future Market Insights: $8.2B in 2025 → $27.4B by 2035 (12.9 percent CAGR)
Markets and Markets: $8.57B 2024 → $37.34B by 2035 (14.2 percent CAGR)
SkyQuest: $11.11B 2025

Caveat: market research projections are vendor-incentivized. Practical baseline per White & Case's 2023 Global Compliance Risk Benchmarking: 85 percent of organizations perform risk-based compliance DD on third parties; 24 percent outsource entirely.

Honest VDR comparison for third-party DD evidence storage

Beyond the data and workflow layers, third-party DD generates substantial document volume — ABC questionnaire responses, beneficial ownership documentation, sanctions screening reports, supply-chain trace documentation, audit reports, remediation evidence. The VDR layer:

VDR	Best for	Pricing (2026)	Honest tradeoff
Datasite	Enterprise multinationals with 1,000+ Tier 1-2 third parties	$25K+/year; per-page $0.40-0.85 legacy	Enterprise procurement integration; expensive at volume
Intralinks	ITAR / export-controlled defense and dual-use	$7,500 starting; $4K-$25K+ annual	Deepest IRM controls; less suited to broad mid-market third-party portfolios
OneTrust	Workflow + DD evidence integrated	Quote-based enterprise	Workflow-first; document storage is feature, not core
Peony	Mid-market compliance teams managing 50-500 third parties	$40/admin/mo flat (Business)	Unlimited rooms, NDA gates, analytics, watermarks; 5-min setup; complements (does not replace) workflow + data layers

We make Peony, so this is honest disclosure: for enterprises managing 5,000-plus active third parties under DD, workflow platforms (OneTrust, Aravo) + data providers (Dow Jones, World-Check) are necessary infrastructure. Peony complements that with the evidence collection and document storage layer rather than replacing it. For mid-market compliance teams managing 50-500 third parties, Peony + a single data provider (LSEG World-Check or Dow Jones) often delivers full DD coverage at substantially lower cost than the enterprise-platform alternative.

Vendor Due Diligence Checklist — procurement-led TPRM (6-domain framework) — distinct from this compliance-led post
M&A Due Diligence Process Guide — broader DD process map; this post handles the third-party layer specifically
Cybersecurity Due Diligence — DOJ ECCP September 2024 added AI risk + data analytics, increasingly intersects with cyber DD
Sell-Side Due Diligence — VDD for sellers; targets undergoing M&A should pre-empt third-party DD on their own networks
IT Due Diligence — overlaps with Layer 3 (UBO + adverse media tech stack)
Investment Due Diligence Checklist — investor-side 7-pillar checklist
Due Diligence for IPO — third-party DD is part of S-1 risk factor disclosure for cross-border IPOs
Virtual Data Room Pricing Guide — full vendor landscape

Streamline Due Diligence

Third-Party Due Diligence: The 5-Jurisdiction Framework for 2026 (Post-FCPA Pause)

Third-Party Due Diligence: The 5-Jurisdiction Framework for 2026

What is third-party due diligence, and how is it different from vendor due diligence?

The Compliance Vacuum Paradox

The 5-Jurisdiction Exposure Map

The 4-Tier Third-Party Risk Pyramid

The UFLPA detention surge and the Polysilicon Trace Test

OFAC gatekeeper liability and the GVA Capital precedent

The EU CSDDD Omnibus and the Compliance Plateau

The 5-Layer Screening Stack

Layer 1 — Sanctions

Layer 2 — UFLPA + Supply Chain Trace

Layer 3 — PEP / UBO / Adverse Media

Layer 4 — Anti-Bribery History + Country Risk

Layer 5 — ESG / Forced Labor / Sustainability

The Successor Liability Discount Equation (M&A)

Honest platform comparison

Data providers

Workflow platforms

Market context

Honest VDR comparison for third-party DD evidence storage

You might also like

Streamline Due Diligence

Third-Party Due Diligence: The 5-Jurisdiction Framework for 2026 (Post-FCPA Pause)

Third-Party Due Diligence: The 5-Jurisdiction Framework for 2026

What is third-party due diligence, and how is it different from vendor due diligence?

The Compliance Vacuum Paradox

The 5-Jurisdiction Exposure Map

The 4-Tier Third-Party Risk Pyramid

The UFLPA detention surge and the Polysilicon Trace Test

OFAC gatekeeper liability and the GVA Capital precedent

The EU CSDDD Omnibus and the Compliance Plateau

The 5-Layer Screening Stack

Layer 1 — Sanctions

Layer 2 — UFLPA + Supply Chain Trace

Layer 3 — PEP / UBO / Adverse Media

Layer 4 — Anti-Bribery History + Country Risk

Layer 5 — ESG / Forced Labor / Sustainability

The Successor Liability Discount Equation (M&A)

Honest platform comparison

Data providers

Workflow platforms

Market context

Honest VDR comparison for third-party DD evidence storage

Related resources

You might also like